[Webkit-unassigned] [Bug 95073] WindowShell and global registers break IC

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 27 21:21:40 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=95073

--- Comment #8 from Yusuke Suzuki <utatane.tea at gmail.com>  2012-08-27 21:21:42 PST ---
(In reply to comment #7)
> I think this last paragraph explains why you don't need forceUncacheable().  Why do you need to force uncacheable when JSC already chooses not to perform caching since baseValue is not the same as slotBase?

Yes. But this is the self IC case, not the proto or chain case.
Self IC creation is guarded by this, but proto or chain IC creation isn't.

So, a chain IC example:

Object.prototype.a = 1;
function lookup() {
  window.a  // lookup
}
lookup();  // create chain IC #1
lookup();  // lookup from chain IC #2
window.a = 0;  // #3
lookup();  // lookup from invalid chain IC #4

At #1, the lookup succeeds and slot.baseValue() == ObjectPrototype. So we pass the chain IC condition and create a chain IC at this point.
https://trac.webkit.org/browser/trunk/Source/JavaScriptCore/jit/JITStubs.cpp#L969
At this point, because `baseValue` is the WindowShell, the prototype chain looks like this:

[WindowShell structure (not JSGlobalObject structure)]
[WindowPrototype structure]
[ObjectPrototype structure]

The problem is that the first structure stored in the StructureChain is the WindowShell structure, not the JSGlobalObject structure.
As a result, at #2, because `baseCell` is the WindowShell, the chain IC conditions pass and the lookup is executed by the chain IC.

And at #3, we add a new property to the JSGlobalObject. Because the WindowShell forwards the put operation to the JSGlobalObject, this new property is added to the JSGlobalObject. At this time, a JSGlobalObject structure transition (addPropertyTransition) occurs. But unfortunately, because this is a JSGlobalObject structure transition, the WindowShell structure isn't changed; this is the problem.

As a result, at #4, because the WindowShell structure isn't changed in spite of the JSGlobalObject structure change, the now-invalid chain IC conditions unfortunately pass and the chain IC lookup is executed, ignoring the JSGlobalObject property `a`.

`forceUncacheable` prevents IC creation on lookups through the WindowShell object because the WindowShell cannot reflect the current object shape in its structure.

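The mechanism described in comment #8, as an added example that is not code from the bug report or from JavaScriptCore: a toy model of a structure-keyed prototype-chain inline cache (IC), with a shell object that forwards puts to an inner global object but keeps its own structure, so the inner object's structure transitions while the structure the IC checks never changes. The names ModelObject, Shell, ChainIC and runScenario are invented for the model; the steps #1 to #4 follow the snippet in the comment.

```javascript
// Added example (not code from the bug or from JavaScriptCore): a toy model of a
// structure-keyed chain IC. ModelObject, Shell and ChainIC are invented names.

let nextStructureId = 1;

// A structure is an immutable shape: own-property names plus the prototype.
// Adding a property yields a new structure (modelling addPropertyTransition).
function makeStructure(props, proto) {
  return { id: nextStructureId++, props: props.slice(), proto };
}

class ModelObject {
  constructor(proto) {
    this.proto = proto;
    this.structure = makeStructure([], proto);
    this.slots = new Map();
  }
  hasOwn(name) { return this.slots.has(name); }
  getOwn(name) { return this.slots.get(name); }
  put(name, value) {
    if (!this.slots.has(name)) { // new property: structure transition
      this.structure = makeStructure([...this.structure.props, name], this.proto);
    }
    this.slots.set(name, value);
  }
}

// The shell stands in for the inner object: puts are forwarded, but the shell
// has its own structure, whose prototype link skips the inner object and goes
// straight to the inner object's prototype (WindowShell -> WindowPrototype).
class Shell {
  constructor(inner, forceUncacheable) {
    this.inner = inner;
    this.structure = makeStructure([], inner.proto);
    this.forceUncacheable = forceUncacheable;
  }
  put(name, value) { this.inner.put(name, value); } // this.structure is untouched
}

// Uncached lookup. Records the structures it passed through, as a StructureChain
// would: the base's own structure, then each prototype's structure. Note that
// for a shell base the inner object's own structure is never recorded.
function slowLookup(base, name) {
  const chain = [base.structure];
  let obj = base instanceof Shell ? base.inner : base;
  while (obj) {
    if (obj.hasOwn(name)) return { value: obj.getOwn(name), slotBase: obj, chain };
    obj = obj.proto;
    if (obj) chain.push(obj.structure);
  }
  return { value: undefined, slotBase: null, chain };
}

// Re-validate a cached chain by walking structure -> prototype -> structure ...
function chainStillMatches(base, chainIds) {
  let structure = base.structure;
  for (const id of chainIds) {
    if (!structure || structure.id !== id) return false;
    structure = structure.proto ? structure.proto.structure : null;
  }
  return true;
}

class ChainIC {
  constructor(name) { this.name = name; this.entry = null; this.hits = 0; this.misses = 0; }
  get(base) {
    if (this.entry && chainStillMatches(base, this.entry.chainIds)) {
      this.hits++;
      return this.entry.slotBase.getOwn(this.name);
    }
    this.misses++;
    const r = slowLookup(base, this.name);
    // Only cache proto/chain hits (slotBase !== base); self hits are left alone,
    // like the "baseValue is not the same as slotBase" guard in the thread.
    if (r.slotBase && r.slotBase !== base && !base.forceUncacheable) {
      this.entry = { chainIds: r.chain.map((s) => s.id), slotBase: r.slotBase };
    }
    return r.value;
  }
}

// Steps #1..#4 from the comment. Returns the three observed values of `a`.
function runScenario({ useShell, forceUncacheable = false }) {
  const objectPrototype = new ModelObject(null);
  const windowPrototype = new ModelObject(objectPrototype);
  const globalObject = new ModelObject(windowPrototype);
  const window = useShell ? new Shell(globalObject, forceUncacheable) : globalObject;
  objectPrototype.put('a', 1);          // Object.prototype.a = 1
  const ic = new ChainIC('a');
  const seen = [];
  seen.push(ic.get(window));            // #1 slow path, chain IC created
  seen.push(ic.get(window));            // #2 served from the chain IC
  window.put('a', 0);                   // #3 window.a = 0, forwarded to the inner object
  seen.push(ic.get(window));            // #4 must see the shadowing property
  return { seen, hits: ic.hits, misses: ic.misses };
}

console.log(runScenario({ useShell: false }));                        // seen [1, 1, 0]
console.log(runScenario({ useShell: true }));                         // seen [1, 1, 1]: stale IC
console.log(runScenario({ useShell: true, forceUncacheable: true }));  // seen [1, 1, 0]
```

Looking up through the global object directly, step #3 changes the structure the IC checks, so #4 misses and takes the slow path. Through the shell, the recorded chain never includes the inner object's structure, so #4 still hits and returns the Object.prototype value; marking the shell uncacheable trades those hits for correctness.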